I'm working on a small Java package to assist users with changing their password in an LDAP directory. It should be usable with minimal knowledge about the exact server implementation and user schema. Ideally, the package would allow a password to be changed with just four parameters:
1. The LDAP server URL
2. The user DN
3. The current user password
4. The new user password
I began coding a method to auto-detect the proper password change procedure.
I'm now able to check for the availability of an LDAPv3 "Password
modify" extended operation (RFC-3062) which covers all recent OpenLDAP
implementations. Failing this check, I'm also able to detect the
"userPassword" attribute and whether it has a hash applied to it (by
looking for an "{MD5}", "{SHA}", etc. prefix), which should cover other
"standard" LDAP directories.
What is left now is detection of MS Active Directory servers, which have
their own "unicodePwd" attribute and password change policy. But how to
detect that? According to the MS spec the "unicodePwd" cannot be read or
queried. Also, the root DSE of MS-AD doesn't include a "vendorName" to
indicate that this is indeed an Active Directory. So now I've got to
think of some indirect way of MS-AD detection (e.g. by looking up other
MS-only specific entries in the root DSE), or perhaps attempting a blind
"unicodePwd" update.
Any helpful suggestions?
Vladimir
--
Vladimir Dzhuvinov * www.dzhuvinov.com * PGP key ID AC9A5C6C
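As an added illustration of the detection order sketched in the post (RFC 3062 extended operation first, then an Active Directory check via the root DSE, then falling back to the "userPassword" attribute and its hash-scheme prefix), here is the decision logic written out in Python rather than Java. This is example code, not the poster's package; it works on attribute dictionaries as an LDAP client library would return them, so it runs offline without a directory. The OIDs are the well-known ones from RFC 3062 (Password Modify), RFC 2830 (StartTLS) and Microsoft's LDAP_CAP_ACTIVE_DIRECTORY_OID as published in the AD root DSE "supportedCapabilities" attribute; the sample root DSE and user entries are constructed for the example.

```python
import re

# Well-known OIDs (from the RFC / vendor documentation named in the lead-in).
PASSWD_MODIFY_EXOP_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 Password Modify
START_TLS_OID = "1.3.6.1.4.1.1466.20037"            # RFC 2830 StartTLS
AD_CAPABILITY_OID = "1.2.840.113556.1.4.800"        # LDAP_CAP_ACTIVE_DIRECTORY_OID

# RFC 2307 style scheme prefix, e.g. "{SSHA}..." or "{MD5}..."
_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")


def hash_scheme(user_password):
    """Return the upper-cased scheme prefix of a userPassword value
    ('SHA', 'SSHA', 'MD5', ...), or None when the value has no prefix
    (stored in clear, or hashed by the server without a marker)."""
    if isinstance(user_password, bytes):
        user_password = user_password.decode("utf-8", "replace")
    m = _SCHEME_RE.match(user_password)
    return m.group(1).upper() if m else None


def detect_password_change_method(root_dse, user_entry):
    """Pick a password-change strategy in the order the post describes.

    Both arguments map an attribute name to a list of values.
    Returns (method, detail):
      ("passwd-modify-exop", None)  - server supports RFC 3062; preferred,
                                      the server hashes the password itself
      ("unicodePwd", None)          - Active Directory; write unicodePwd
      ("userPassword", scheme)      - replace userPassword, client must hash
                                      with `scheme` (None = no prefix seen)
      ("unknown", None)             - nothing usable detected
    """
    exts = set(root_dse.get("supportedExtension", []))
    caps = set(root_dse.get("supportedCapabilities", []))
    if PASSWD_MODIFY_EXOP_OID in exts:
        return ("passwd-modify-exop", None)
    if AD_CAPABILITY_OID in caps:
        # AD does not expose unicodePwd for reading, so the root DSE
        # capability OID is the indirect signal the post was looking for.
        return ("unicodePwd", None)
    pw_values = user_entry.get("userPassword", [])
    if pw_values:
        return ("userPassword", hash_scheme(pw_values[0]))
    return ("unknown", None)


def transport_is_acceptable(root_dse, using_ldaps):
    """Every branch above sends the new password over the wire, so refuse
    to proceed unless the session is LDAPS or the server offers StartTLS."""
    return using_ldaps or START_TLS_OID in set(root_dse.get("supportedExtension", []))


def encode_unicode_pwd(new_password):
    """Active Directory expects the unicodePwd value as the new password
    wrapped in double quotes and encoded as UTF-16LE."""
    return ('"' + new_password + '"').encode("utf-16-le")


# Constructed sample data (not captured from real servers).
OPENLDAP_ROOT_DSE = {"supportedExtension": [PASSWD_MODIFY_EXOP_OID, START_TLS_OID]}
AD_ROOT_DSE = {"supportedCapabilities": [AD_CAPABILITY_OID],
               "supportedExtension": [START_TLS_OID]}
GENERIC_ROOT_DSE = {}
USER_SSHA = {"userPassword": [b"{SSHA}Y29uc3RydWN0ZWQtc2FtcGxl"]}
USER_CLEAR = {"userPassword": [b"constructed-clear-text"]}

if __name__ == "__main__":
    for name, dse, entry in [("openldap", OPENLDAP_ROOT_DSE, USER_SSHA),
                             ("ad", AD_ROOT_DSE, {}),
                             ("generic/ssha", GENERIC_ROOT_DSE, USER_SSHA),
                             ("generic/clear", GENERIC_ROOT_DSE, USER_CLEAR)]:
        print(name, detect_password_change_method(dse, entry),
              "tls-ok" if transport_is_acceptable(dse, False) else "NO-TLS")
```

The order matters for the security of the result: the RFC 3062 operation is tried first because the server then applies its own hashing and policy, the "userPassword" fallback is the only branch where the client has to pick a hash scheme itself, and the transport check is separate from detection so that none of the three branches can be reached over a clear-text session by accident.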